Server Certificate Verification

**Proud** · June 30th, 2002, 05:43 PM

I have IE6 and Win98SE. When in IE, if I go to Tools, Internet Options, Advanced and scroll down, there's the option to Check for server certificate revocation (requires restart)

Now, if I check this and restart, when I try to sign in to hotmail, IE then connects to crl.verisign.net port 80 (iirc, I've not got it checked now).
The thing is, this connection runs at up to 8kbps on my 56k, and as you might know, the average rate is about 4kbps!

This keeps going for at least a minute, and after testing it a few times I stopped, as the data transfer is getting large, and I'm wondering just wtf M$ is getting from my pc at such an unusual rate...
This effect seems only to be with hotmail, with that option enabled. I've run Ad-Aware, kept NAV up to date, and my Tiny Personal Firewall (which is detecting this).

Everything seems to run fine with the option disabled, and it would seem to be a system for making certain of a server's certificate validity, but is it needed for non-M$ servers (can you get non-M$ certificates, I don't know much about them in general) and is it safe to have this setting unchecked?

I'm guessing it's just another M$ 'feature' (bug/spyware/something I've blocked

) but if anyone has any more info, I'd be grateful

***jehnx*** · June 30th, 2002, 06:13 PM

Well, I wish I could help you on this one but I can't. However, just in case you didn't know, it's happening with HoTMaiL because HoTMaiL and MSN (owned by MS) are now "one," basically. They're both MS'.

**Proud** · June 30th, 2002, 06:19 PM

I didn't know that, thanks

Seriously, thanks, I guess this is just a M$ server (.Net) related feature, and so it's fine to have it unchecked (it seems to be everywhere else I go).

If there is a vital reason why I should have it checked, feel free to say so, but I way just mainly passing comment on this odd security option

***jehnx*** · June 30th, 2002, 06:47 PM

WTF? I got negs saying "gotta be balanced" and they knocked off 5 points. That's not crap, but it's the principal... f'ing idiots, I find out who you are I'll "balance" mine every single day on your a$$, hoe.

***ammo*** · June 30th, 2002, 07:12 PM

A server certificate is a piece of crypto "key" that proves that the server says that it is who it says it is. Certificates are used in ssl (https) connections to authentify the server (and/or the client but that's not used often..). Now the certificate is closely guarded. If the certificate had been compromised for a reason or an other, the organsiation that owns the certificate needs to have that certificate invalidated before it's normal expiration date. That process is called revocation. To verifiy if the certificate has been revoked, the browser has to check a CRL (Certificate Revocation List) to see if that particular certificate is listed. In this case the CRL is
hosted by crl.verising.com on the RSASecureServer.crl (check the attached screenshot of the certificate details). And if you check at http://crl.verisign.com, you will see that RSASercureServer.crl as a sign of 795K.

So, as you can see, checking for certificate revocation has nothing to do with sypware or trojans or anything of that sort. It is purely a security issue. Now the reason this isn't on by default is that it is relatively rare for a web server to have it certificate compromised, and the cost of downloading/checking the crl each time you do a ssl connection isn't really worth it.

Hope this helps.

Ammo

**Proud** · June 30th, 2002, 08:20 PM

A nice bit of detail and examples

jehnx, I feel kinda responsible as it's my thread, but it wasn't me, I don't pack that punch

Thread: Server Certificate Verification

Thread Tools

Display

Server Certificate Verification

Thank you

Posting Permissions